There’s now a threat to online life that’s so potentially potent it requires a new form of defence. Rootkits hide inside the operating system, actively defending themselves and hiding their presence.
To arm your system against rootkits, you first need to understand them. So, where have they come from, how have they evolved and how, crucially, can they be stopped?
A rootkit is a program that allows a hacker to come and go as he pleases, unhindered by your computer’s defences. No firewall will stop him and no antivirus program will detect his activities. Rootkits subvert the way the operating system works to make it lie about the processes, files, Registry entries and kernel modules that might give away the rootkit’s presence to humans and antivirus software.
Unlike viruses, rootkits have had a low profile for the past 20 years, but that’s changing as their methods merge with those of mainstream malware to produce a threat that requires dedicated software to deal with it.
The name ‘rootkit’ comes from the ‘superuser’ account in Unix (and Linux). This is called ‘root’, and logging into it gives the user complete control over the computer, arguably even more so than an administrator account does in Windows. Normally, only a system administrator has access to root because it’s so powerful.
For a hacker, simply gaining access to the root account isn’t enough. He must also keep his tracks hidden from alert system administrators. Because of this, rootkits modify system files to remove evidence of the hacker’s presence and make it look as if nothing is out of place.
The history of the idea behind rootkits stretches back to the late 1980s, when the first log cleaners began to emerge. After gaining root access by hand to Unix computers, hackers would upload a log cleaner program to manually delete entries in the operating system’s event log, and in some cases to reset the timestamp on the log file to before the intrusion.
In the early 1990s, Sun Microsystems’ SunOS (a type of Unix) became the focus of attempts to create the first true rootkits. In 1990, hackers Lane Davis and Steven Dake produced a proof-of-concept rootkit that effectively set the mould for future rootkit functionality.
Launching an attack
Twenty years on, it’s still recognised that rootkits have three functions to perform. First, they must compromise the target computer to gain and maintain control for their owner. This is thought to be the origin of the term ‘to own’ a computer.
In order for a hacker to gain remote access, the rootkit first needs to establish a secure communications channel. To stop the computer’s firewall preventing this, it may hijack a port over which legitimate traffic already flows rather than opening its own. It’s not unusual for a rootkit to take advantage of port 80, which is usually open to allow the user to surf the web.
The list of techniques for establishing a foothold and the number of communications channels available grows as the sophistication of rootkits develops. It’s this ease with which access can be gained, maintained and hidden that has researchers very worried about the rise of this particular form of malware.
The second function of a rootkit is to attack the local system (or others on the local network) to create an environment for the hacker that’s safe from detection. One approach is modifying the system’s kernel or libraries to replace system calls with its own.
This is important because the rootkit needs to make calls that return information about the state of the running system while leaving out anything to do with the rootkit itself. Because they rely on standard kernel system calls, it’s almost impossible for most antivirus software to detect rootkits without using special techniques that check the integrity of the data the system provides.
The attack functionality in some rootkits is as impressive as it is sinister. Some actively launch denial of service attacks against other systems on the local network if they suspect them of harbouring intrusion detection systems, for example.
They can do this by interrogating the network cards on other computers to see which are in ‘promiscuous’ mode. That means that they’re set to read all data that goes past. This is a good indication that software is running that reads and analyses such network traffic for signs of intrusion.
Rootkits sometimes also sample data on the local network to find usernames and passwords that they can collect for the hacker to download later.
The third crucial element to a rootkit’s functionality, and the part that makes them particularly stealthy, is the way they cover their tracks. This is where the programs have become incredibly ingenious in a very short space of time.
Part of this rapid growth in functionality is down to how modern kernels work. Operating systems contain a central kernel that sits between the running applications and the computer’s hardware. It’s the job of this kernel to govern access to peripherals and allocate system resources, such as time on the CPU and memory space. If the kernel consisted of a single monolithic lump of code, it would be very inflexible.
If you were to add a new peripheral, for example, you’d have to install a new kernel with support for that peripheral. In the early days of Linux, this meant that you had to recompile the kernel to contain the modules you required to run all your hardware.
Modern operating systems (including current versions of Linux and Microsoft Windows) use a system of loadable kernel modules (LKMs). If a certain type of hardware is detected when the operating system boots up, the kernel loads the specific module required to run it. This keeps the size of the running kernel as small as possible, saving RAM, and it means that individual modules can be upgraded without having to recompile the whole kernel.
Because of the advantages offered by LKMs, even central but potentially optional kernel functionality has become modular. However, this has arguably made the job of the rootkit writer easier. If he can replace an LKM with his own version of the kernel module, then he can make it do whatever he wants.
A Windows kernel module subroutine designed to return a list of running processes, for example, might be made to return all but those connected with the running rootkit. Detection methods that rely on spotting unusual system processes to identify malware will fall for this.
Another method of detecting rootkit activity is to spot system files whose permissions have changed unexpectedly. Subvert the module that returns these permissions and a rootkit can fool anti-malware packages.
There’s now a shift in focus for rootkit developers from Linux and Unix to Microsoft Windows. Windows rootkits are gradually morphing into stealthy versions of other forms of malware. Today they may contain keyloggers that collect information for selling to identity thieves or botnet clients. Because kernel modules and other code can be made to return incorrect results by a rootkit, any detection utilities must be careful to only use their own subroutines and to check their integrity before use.
One method of doing this is calculating checksums from the running detection routines that only come out right if just the original code is present. Change one byte and the checksum is wrong. Despite these difficulties, easy-to-use antirootkit software for Windows is becoming available – and much of it is free.
One such application is Sophos Anti-Rootkit. After downloading the executable, run it and accept the licence agreement. On the next screen, click ‘Install’ and then ‘Yes’ to run the installed application.
The user interface is simple. First, decide on the parts of the system you’d like to scan. This includes the running processes, the Registry and files on local hard drives. If you have Sophos Anti-Virus installed, then the ‘Extensive scan’ tickbox will become available. This enables the program to scan all files on the disk, rather than just hidden ones.
Click on ‘Start Scan’ to make the software get to work. The full scan can take a long time, mostly due to the number of files it must scan on the local hard disks. Don’t be alarmed if the upper pane starts to fill with files. In the majority of cases, these are listed just because they’re files that have their hidden attribute set so that users can’t accidentally delete them (for example, an uninstaller file for an application).
Click on an entry in the upper pane and its details are displayed in the lower one. One of the bits of information is whether the file is removable. For files that Anti-Rootkit doesn’t recognise but doesn’t consider dangerous, you’ll see the text: ‘Yes (but cleanup not recommended for this file)’. For those you should clean up, this text will be: ‘Yes (cleanup recommended)’.
Once the scan is complete, select the files, processes and Registry entries that Sophos recommends you delete by clicking on the tickboxes to the left of their entries in the left-hand pane. Now click the ‘Clean up checked items’ button. A warning box will ask if you’re sure you want to remove the items.
If you confirm that you want to delete the items, they’ll be removed and Anti-Rootkit will prompt you to restart your computer. Once rebooted, you should immediately re-run Anti-Rootkit to make sure that the suspected rootkit infection isn’t clever enough to heal itself and recreate the file, process or Registry key.
When you run Anti-Rootkit, the user interface will give you a summary of the actions it took and whether they were successful. If everything is now clean, you’re OK; if not, Sophos itself can help.
Go to this secure website, fill in your details and a contact method, and click ‘I want to submit a | Sample file’ on the dropdown menu. Click on ‘Continue’, fill in the operating system and version details and enter a note about your suspicions in the textbox. Click ‘Continue’ again.
You’ll be asked to upload three files. Click the ‘Browse’ button and navigate to C:\Documents and Settings\
Once the uploads are done, click ‘Submit’. Sophos support will look at the files and advise you by the contact method you chose.